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Information Disclosure Statement 

2. The Information disclosure statement (IDS) submitted on 07/17/2006 Is In 
compliance with the provisions of 37 CFR 1 .97. Accordingly, the Information disclosure 
statement is being considered by the examiner. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

3. Claims 15 and 22-22 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

Claim 15 Is directed towards "a stream of data traffic." A "stream of data traffic" 
Is descriptive material and therefore non-statutory subject matter. 

Claims 20-22 are directed towards "an apparatus". However the components of 
the "apparatus" are "a filter apparatus", "a disassembler", "an assembly instructions 
analyzer" and "a vulnerable return address detector" are show In the drawings and In 
the Specification as software modules (note Fig. 4, Specification page 5, lines 28-29). 
Therefore the claimed "apparatus" Is composed entirely of software and Is therefore 
non-statutory subject matter. 

Note MPEP 2106.01 for guidance on computer related statutory subject matter. 
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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the phor art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary sl^ill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1 , 3 and 20 are rejected under 35 U.S.C. 1 03(a) as being unpatentable 

over Vella (U.S. Patent Application Publication 2003/0212913), and further in view of 

Schmall ("Classification and identification of malicious code based on heuristic 

techniques utilizing Meta languages"). 

For claims 1 and 20, Vella teaches a method and apparatus for detecting 

malicious code in a stream of data traffic input to a gateway of a data network, the 

method comprising the steps of: 

(a) monitoring by the gateway for at least one suspicious portion of data in the 
stream of data traffic (note paragraphs [0055]-[0056]); 

(b) upon detecting said at least one suspicious portion of data, attempting to 
disassemble said at least one suspicious portion of data thereby attempting to produce 
disassembled code (note paragraph [0064]). 

Vella differs from the claimed invention in that he fails to teach: 
Wherein for each instruction in said disassembled code, 

(c) assigning respectively a threat weight for each said instruction; and 

(d) accumulating said threat weight to produce an accumulated threat weight. 
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Schmall teaches: 

Wherein for each instruction in said disassembled code, 

(c) assigning respectively a threat weight for each said instruction (note page 
146, "A heuristic engine based on a weight based system..."); and 

(d) accumulating said threat weight to produce an accumulated threat weight 
(note page 146, "A heuristic engine based on a weight based system..."). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the data analyzer of Vella and the weight based analyzing system 
of Schmall. It would have been obvious because a simple substitution of one known 
element (weight based analyzing of Schmall) for another (pattern matching of Vella) 
would yield the predictable results of identifying malicious code. 

For claim 3, the combination of Vella and Schmall teaches claim 1, wherein said 
monitoring is performed by skipping acceptable data in the stream of data traffic, said 
acceptable data being consistent with a protocol used by the data stream (note 
paragraph [0063] of Vella). 

5. Claims 11 and 16-17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over the combination of Vella and Schmall as applied to claim 1 above, and further in 
view of Muttik (U.S. Patent 6,775,780). 
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For claims 1 1 and 16-17, the combination of Vella and Schmall teaches a 
method, program storage device and system for detecting malicious code in a stream of 
data traffic input to a gateway of a data network, the stream of data traffic including data 
packets, the method comprising the steps of: 

(a) monitoring by the gateway for at least one suspicious portion of data in the 
stream of data traffic (note paragraphs [0055]-[0056] of Vella); 

(b) upon detecting said at least one suspicious portion of data, attempting to 
disassemble said at least one suspicious portion of data thereby attempting to produce 
disassembled code (note paragraph [0064] of Vella). 

Wherein for each instruction in said disassembled code, 

(c) assigning respectively a threat weight for each said instruction (note page 
146, "A heuristic engine based on a weight based system..." of Schmall); and 

(d) accumulating said threat weight to produce an accumulated threat weight 
(note page 146, "A heuristic engine based on a weight based system..." of Schmall). 

The combination of Vella and Schmall differs from the claimed invention in that 
they fail to teach: 

wherein said threat weight for each said instruction is selectively either: 

(i) increased for a legal instruction, and 

(ii) decreased for an illegal instruction. 



Muttik teaches: 
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wherein said threat weight for each said instruction is selectively either: 

(i) increased for a legal instruction (note column 5, lines 14-21), and 

(ii) decreased for an illegal instruction (note column 5, lines 14-21). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the combination of Vella and Schmall and the negative and 
positive weights of Muttik. It would have been obvious because a simple substitution of 
one known element (negative and positive weights of Muttik) for another (weights only 
for suspicious activity of Schmall) would yield the predicable results of identifying 
malicious code (note column 5, lines 20-21 of Muttik). 

6. Claims 2, 6-7 and 14-15 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the combination of Vella Schmall and Muttik as applied to claims 1 
and 1 1 above, and further in view of Shipley (U.S. Patent 6,1 1 9,236). 

For claim 2, the combination of Vella and Schmall differs from the claimed 
invention in that they fail to teach: 

Wherein said at least one suspicious portion of data contains at least one illegal 
character in a protocol of the stream of data traffic. 

Shipley teaches: 

Wherein said at least one suspicious portion of data contains at least one illegal 
character in a protocol of the stream of data traffic (note column 6, lines 40-46). 
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It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the combination of Vella and Schmall and the protocol monitoring 
of Shipley. It would have been obvious because combining prior art elements according 
to known methods would yield the predictable results of identifying an intrusion attempt 
(note column 6, lines 45-46 of Shipley). 

For claim 6, the combination of Vella, Schmall and Shipley teaches claim 1, 
further comprising the step of: 

(e) upon said accumulated threat weight exceeding a previously defined 
threshold level, performing an action selected from the group of: 

(i) generating an alert (note page 146 of Schmall), and 

(ii) blocking traffic from the source of the suspicious data (note column 8, lines 5- 
8 of Shipley). 

For claim 7, the combination of Vella, Schmall and Shipley teaches claim 6, 
wherein said blocking is solely in the stream of data traffic. 

For claim 14, the combination of Vella, Schmall, Muttik and Shipley teaches claim 
1 1 , further comprising the steps of: 
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(e) receiving tlie data packets input from a wide area network interface of tlie 
gateway, tliereby building the packets into a virtual stream inside the gateway (note 
paragraph [0070] of Vella); and 

(f) upon said accumulated threat weight exceeding a previously defined threshold 
level, performing an action selected from the group of: 

(i) generating an alert (note page 146 of Schmall), and 

(ii) blocking traffic from the source of the suspicious data (note column 8, lines 5- 
8 of Shipley). 

For claim 15, the combination of Vella, Schmall, Muttik and Shipley teaches a 
stream of data traffic purged of malicious code, according to a method comprising the 
steps of: 

(a) monitoring by the gateway for at least one suspicious portion of data in the 
stream of data traffic (note paragraphs [0055]-[0056] of Vella); 

(b) upon detecting said at least one suspicious portion of data, attempting to 
disassemble said at least one suspicious portion of data thereby attempting to produce 
disassembled code (note paragraph [0064] of Vella). 

Wherein for each instruction in said disassembled code, 

(c) assigning respectively a threat weight for each said instruction (note page 
146, "A heuristic engine based on a weight based system..." of Schmall); and 

(d) accumulating said threat weight to produce an accumulated threat weight 
(note page 146, "A heuristic engine based on a weight based system..." of Schmall). 
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wherein said threat weight for each said instruction is selectively either: 

(i) increased for a legal instruction (note column 5, lines 14-21 of Muttik), and 

(ii) decreased for an illegal instruction (note column 5, lines 14-21 of Muttik). 
wherein upon said accumulated threat weight exceeding a previously defined 

threshold level (note page 146 of Schmall); and 

(e) blocking traffic from the source of the malicious code (note column 8, lines 5- 
8 of Shipley). 

7. Claim 4 is rejected under 35 U.S.C. 103(a) as being unpatentable over the 
combination of Vella and Schmall as applied to claim 3 above, and further in view of 
Touboul (U.S. Patent 6,092,194). 

For claim 4, the combination of Vella and Schmall differs from the claimed 
invention in that they fail to teach: 

Wherein said acceptable data includes acceptable executable code. 

Touboul teaches: 

Wherein said acceptable data includes acceptable executable code (note column 
4, lines 14-40). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the combination of Vella and Schmall and the acceptable 
executable code of Touboul. One of ordinary skill in the art would have been motivated 
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to combine Vella, Schmall, and Touboul because monitoring the data stream for 
executable code that is known to be acceptable would save the system the time and 
resources of disassembling and analyzing the same executable code repeatedly (note 
Fig. 6 of Touboul). 

8. Claims 5, 8-9, 12-13, 18-19 and 21-22 is rejected under 35 U.S.C. 103(a) as 
being unpatentable over the combination of Vella, Schmall and Muttik as applied to 
claims 1,11,17 and 20 above, and further in view of Made (U.S. Patent Application 
Publication 2002/0056076). 

For claim 5, the combination of Vella and Schmall differs from the claimed 
invention in that they fail to teach: 

wherein upon reaching a branch in said disassembled code, further accumulating 
said threat weight respectively for each branch option in said disassembled code, 
thereby producing said accumulated threat weight for each said branch option. 

Made teaches: 

wherein upon reaching a branch in said disassembled code, further accumulating 
said threat weight respectively for each branch option in said disassembled code, 
thereby producing said accumulated threat weight for each said branch option (note 
paragraph [0042]). 
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It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the combination of Vella and Schmall and analyzing both sides of 
a branch of Made. One of ordinary skill in the art would have been motivated to 
combine Vella, Schmall and Made because analyzing both portions of a branch would 
provide a more thorough analysis of the executable program. 

For claims 8, 12, 18 and 21, the combination of Vella, Schmall, Muttik and Made 
teaches claims 1,11,17 and 20, wherein said attempting to disassemble is initiated at a 
plurality of initial instructions, each of said initial instructions with a different offset within 
said at least one suspicious portion of data, and said threat weight is accumulated 
respectively for each said offset (note paragraph [0042] of Made). 

For claims 9, 13, 19 and 22, the combination of Vella, Schmall, Muttik and Made 
teaches claims 1,11,17 and 20, wherein said attempting to disassemble is initiated at 
an initial instruction of an address of previously known offset relative to a vulnerable 
return address (note paragraph [0042] of Made). 

Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to DAVID J. PEARSON whose telephone number is (571) 
272-071 1 . The examiner can normally be reached on Monday - Friday, 7:30am - 
5:00pm; off every other Friday. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571 ) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retheval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



ID. J. P./ 

Examiner, Art Unit 2437 
/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



